Connection String Injection

Description

Applications use connection strings to specify credentials used to access databases. If the application includes unvalidated user input in connection strings, an attacker might be able to change what databases the application connects to. Connection string injection vulnerabilities apply to applications that connect to databases.

Impact

By manipulating the connection string, an attacker is able to cause the application to connect to an unintended data source. The attacker might be able to bypass authentication by re-routing the application to use their own database. The attacker might also get data from another database by re-routing the application to use it. The exact impact of a connection string injection vulnerability is difficult to predict because it is heavily dependent on application logic. Overall, the connection string vulnerability is difficult for an attacker to use, but it is still a serious vulnerability.

Application Check

To check for adequate protection against connection string injection vulnerabilities, find all connection strings used by the application and verify that all input is validated, connection strings are stored securely, and user input is not used in connection strings.

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.

Creating Secure Code – .NET 4.0 Foundations

This course describes .NET security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. It also provides secure coding best practices that will enable you to build more secure applications in .NET.

Fundamentals of Secure Database Development

This course introduces developers to the fundamentals of secure database development. The course begins with a discussion on the role of databases and how they are used in today's software systems. It also discusses the common database attacks that could be used to cause significant loss to organizations. Next, it reviews the best practices that developers should incorporate to mitigate the risks from database attacks, including practices that developers should avoid. Finally, the course concludes with a walk-through of a software system scenario that allows you to apply the database attacks and developer best practices discussed throughout the course.

Creating Secure Code – Oracle Foundations

This course consists of three modules. The first module introduces you to database security and the challenges faced in developing secure database-driven applications. The second module covers important application development security basics as well as best practices. The third module covers common security attacks that impact Oracle database developers and the recommended countermeasures to mitigate risks from those attacks.

Creating Secure Code – SQL Server

In this course, you will learn about securely developing applications using Microsoft SQL Server database versions 2008 and 2012. This course consists of three modules. The first module introduces you to database security and the challenges faced in developing secure database-driven applications. The second module covers important application development security basics as well as best practices. The third module covers common security attacks that impact SQL server database developers and the recommended mitigation to reduce risks from those attacks.